How to implement a best-in-class SASE architecture

To support cloud-enabled digital transformation strategies, tighter integration of security and SD-WAN architectures is top of mind for many CIOs and CISOs. That includes cloud security and what is now known as secure access service edge (SASE): the combination of WAN edge network capabilities with cloud-delivered security functions such as:

  • Secure web gateway (SWG)
  • Cloud access security broker (CASB)
  • Firewall-as-a-Service (FWaaS), and
  • Zero-trust network access (ZTNA) delivered in the cloud.


As more applications and workloads migrate to the cloud, the role of the on-premises corporate data center has been significantly reduced, if not eliminated in some cases. Additionally, with the work-from-anywhere trend growing stronger, the defined security perimeter has essentially dissolved. A SASE architecture therefore offers a more secure and flexible way to connect users to applications hosted in the cloud: application traffic is no longer backhauled to a data center before being forwarded to the cloud. And because advanced security inspection is performed directly in the cloud, users enjoy improved application performance and a better quality of experience.

SASE starts from the assumption that no user can be trusted by default and thus enforces least-privileged access through its component capabilities. It protects sensitive data by enforcing security policies with CASB capabilities. A SWG protects organizations from web-based threats using techniques such as URL filtering and malicious code detection. FWaaS provides next-generation firewall functionality in the cloud to analyze traffic from multiple sources. Other security features, such as remote browser isolation (RBI), isolate web users from the internet by rebuilding web pages free of malicious code.

SD-WAN is a critical foundation for SASE

As the work-from-anywhere trend persists, organizations will need to continue operating branch offices, which require SD-WAN capabilities, and will even extend SD-WAN services to home offices and small offices. Meanwhile, they must continue transforming to a modern SD-WAN architecture while also factoring in the cloud-delivered security capabilities mentioned above, now called the security service edge (SSE).

The combination of an advanced SD-WAN and SSE creates a SASE architecture that secures access to the web, cloud applications, cloud services, and private applications that are still hosted in the data center. SSE functions can also include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration.

The key is that SSE is delivered as a cloud-based service and may be complemented by on-premises or agent-based components, such as a firewall with segmentation built into the SD-WAN software stack.

To protect Internet of Things (IoT) devices, which typically cannot host a zero-trust network access agent or VPN client, SASE should also be augmented with a zero-trust, identity-based access control framework that provides dynamic segmentation.

Better together: Advanced SD-WAN and SSE

The combination of an advanced SD-WAN and SSE empowers organizations to implement a comprehensive SASE architecture. Recognizing this, some security vendors have integrated basic SD-WAN functionality into their respective offerings. However, these vendors often lack the critical capabilities of an advanced SD-WAN solution, so organizations may consider a bifurcated approach that pairs best-of-breed cloud security with an advanced SD-WAN.

After all, SD-WAN and SSE focus on two different yet complementary objectives: SD-WAN is about establishing a robust yet flexible connection, while SSE must constantly adapt to new cybersecurity threats. By procuring an advanced SD-WAN solution from an established SD-WAN vendor that is tightly integrated with a best-of-breed cloud-delivered security vendor, an organization can build a SASE architecture without compromising on performance or security.

There are three sound reasons why organizations should select an advanced SD-WAN when implementing a best-of-breed SSE service:

An advanced SD-WAN is tightly integrated with SSE. Many security vendors provide basic SD-WAN capabilities and promote an “all in one” SASE solution. However, these security vendors are not necessarily well integrated with other cloud-delivered security vendors’ solutions. An organization that adopts a single-vendor solution therefore risks limits on, or compromises in, either its SD-WAN functionality or its security functionality.

For enterprises in some industries, especially heavily regulated ones, the security features required by the business may call for multiple vendors’ solutions. By adopting an advanced SD-WAN that provides native, automated integrations with multiple SSE vendors, enterprises retain the freedom to choose the security service solution or solutions that meet their needs to secure their businesses and meet compliance requirements. Through automated orchestration, a dual-vendor SASE architecture is as easy to deploy and manage as a single-vendor solution.

An advanced SD-WAN steers application traffic intelligently. This includes steering traffic based on its performance and security requirements as dictated by business needs. An advanced SD-WAN can identify applications on the first packet and intelligently route the traffic based on the organization’s set security policies. To simplify deployment and security policy configuration, policies are defined centrally and pushed seamlessly to each branch, enabling organizations to enforce a consistent security approach across all their locations.

Furthermore, through API-based integrations, advanced SD-WANs can automatically configure connections to public cloud providers supporting services such as AWS transit gateway and Azure virtual WAN, with the objective of improving performance and security. In both hybrid and multi-cloud environments, workloads can easily be moved from one cloud provider to another.

Finally, powerful SD-WANs can also accelerate application traffic to reach cloud applications and cloud-delivered security services by always selecting the best performing route based on advanced network health and performance measurements as well as local DNS resolution.

An advanced SD-WAN incorporates the essential security features required at the branch. An advanced SD-WAN includes the right built-in security features to protect branch offices, including unified threat management with integrated IDS/IPS and a zone-based firewall to support micro-segmentation. These security features allow organizations to protect branch offices from malicious threats and to segment users, devices, and applications to meet compliance requirements. They also allow organizations to go beyond SASE by mitigating the risks associated with the exploding number of IoT devices and building a zero-trust architecture; IoT devices, in most cases, have a simpler architecture that does not support hosting ZTNA or VPN clients.

Therefore, a zero-trust security framework that provides identity-based access control and micro-segmentation must be adopted in addition to SASE to block the spread of malware. Additionally, built-in security features enable organizations to reduce equipment sprawl in branch offices by replacing multiple existing security devices, reducing maintenance, and overall operating costs.
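The steering and segmentation behaviour described in the three points above can be modelled as a small, data-driven policy engine. The following is an added illustration, not code from the article or from any SD-WAN or SSE vendor: the zone ranges, SNI signatures, steering targets and device-class inventory are constructed sample data standing in for a centrally defined policy that an orchestrator would push to each branch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Centrally defined policy (constructed sample data; an SD-WAN orchestrator
# would push equivalent data to every branch appliance).
ZONES = {
    "corp-users": ip_network("10.1.0.0/16"),
    "iot": ip_network("10.9.0.0/16"),
    "datacenter": ip_network("10.100.0.0/16"),
}
# Zone-based firewall matrix for internal traffic: pairs not listed are
# denied, which is the default-deny behaviour micro-segmentation relies on.
ZONE_ALLOW = {("corp-users", "datacenter"), ("corp-users", "corp-users")}
# First-packet application signatures (hypothetical): TLS SNI suffix -> app.
APP_BY_SNI = {"collab.example": "saas-collab", "telemetry.example": "iot-telemetry"}
# Application -> steering target (SSE service the flow is forwarded to).
STEERING = {"saas-collab": "sse-casb", "iot-telemetry": "sse-swg", "web": "sse-swg"}
# Identity-based allow list for agentless IoT device classes (hypothetical).
IOT_ALLOWED_APPS = {"sensor": {"iot-telemetry"}}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    sni: str = ""            # TLS SNI observed in the first packet, if any
    device_class: str = ""   # identity from the device inventory, if known

def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def classify_first_packet(flow: Flow) -> str:
    """Identify the application from first-packet metadata only."""
    for suffix, app in APP_BY_SNI.items():
        if flow.sni.endswith(suffix):
            return app
    return "web" if flow.dport in (80, 443) else "unknown"

def decide(flow: Flow) -> tuple:
    """Return (action, path): 'allow'/'deny' and where the flow is steered."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone:  # internal destination: the zone-based firewall decides
        ok = (src_zone, dst_zone) in ZONE_ALLOW
        return ("allow", "sd-wan-overlay") if ok else ("deny", "zone-firewall")
    app = classify_first_packet(flow)
    if src_zone == "iot":  # agentless devices: identity-based allow list only
        if app not in IOT_ALLOWED_APPS.get(flow.device_class, set()):
            return ("deny", "iot-identity-policy")
    path = STEERING.get(app)
    return ("allow", path) if path else ("deny", "no-steering-policy")
```

Because the decision reads only the policy tables, changing them centrally changes behaviour at every branch that loads the same data, which is the consistency point the article makes.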

At the end of the day, a robust SD-WAN is the foundational component of a SASE architecture. It provides a tight integration with best-of-breed security vendors and automates the orchestration and policy configuration with their cloud-delivered security services.

For organizations that cannot afford to compromise when deploying a SASE architecture, a dual-vendor approach, with WAN services from a top SD-WAN provider and cloud-delivered security from a top SSE provider, is the best option for continuing their digital transformation journey.
